Public bug reported:

In some situations (a non-tiny zone size), BIND9.8 pre-9.8.2b1 fails to correctly validate NSEC3 records covering wildcard names.

This is recorded in BIND's CHANGES:

    3175. [bug] Fix how DNSSEC positive wildcard responses from a
          NSEC3 signed zone are validated. Stop sending a
          unnecessary NSEC3 record when generating such
          responses. [RT #26200]

Ubuntu's stock configuration enables DNSSEC validation (this is good), but with 12.04 LTS being likely to be in production use for many more years, it would be helpful if this fix was back-ported.

See https://lists.isc.org/pipermail/bind-users/2014-November/094191.html for a recent example of this problem.

Note that 14.04LTS uses BIND 9.9 which already contains this fix. This bug report is to request a fix to 12.04LTS.

** Affects: bind9 (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1395216

Title:
  NSEC3 validation fails for some wildcard records, in BIND pre-9.8.2b1 - consider updating 12.04LTS package